Abstract — In a secure message transmission (SMT) scenario a sender wants to send a message in a private and reliable way to a receiver. Sender and receiver are connected by n vertex-disjoint paths, referred to as wires, t of which can be controlled by an adaptive adversary with unlimited computational resources. In Eurocrypt 2008, Garay and Ostrovsky considered an SMT scenario where sender and receiver have access to a public discussion channel and showed that secure and reliable communication is possible when n ≥ t + 1. In this paper we show that a secure protocol requires at least 3 rounds of communication and 2 invocations of the public channel, and hence give a complete answer to the open question raised by Garay and Ostrovsky. We also describe a round-optimal protocol that has constant transmission rate over the public channel.

Index Terms — SMT, public discussion, round complexity, MPC. 



I. Introduction

Dolev, Dwork, Waarts and Yung [5] introduced Secure Message Transmission (SMT) systems to address the problem of delivering a message from a sender S to a receiver R in a network while guaranteeing reliability and privacy. S is connected to R by n node-disjoint paths, referred to as wires, t of which are controlled by an adversary with unlimited computational power.

A perfectly secure message transmission, or PSMT for short, guarantees that R always receives the sent message and the adversary learns nothing about it. It was shown that PSMT is possible if and only if n ≥ 2t + 1; see [1], [18], [13] and the references therein. Franklin and Wright [9] relaxed the security requirement of SMT protocols and proposed probabilistic security, in which two parameters ε and δ upper bound the advantage of the adversary in breaking privacy and the probability that R fails to recover the sent message, respectively. In a PSMT protocol ε = δ = 0. In this paper we refer to these protocols as almost SMT protocols. We refer interested readers to [12], [15] and the references therein.

Franklin and Wright [9] also considered a model where an additional reliable broadcast channel is available to S and R. A broadcast channel guarantees that all nodes of the network receive the same message. We refer to this model as the Broadcast Model (BM). They showed that PSMT in this model still requires n ≥ 2t + 1, but that probabilistic security can be obtained with n > t, and gave a 3-round (0, δ) protocol in this model.

Garay and Ostrovsky [11] replaced the broadcast channel with an authentic and reliable public channel that connects S and R. A public channel is totally susceptible to eavesdropping but is immune to tampering. We refer to this communication model as the Public Discussion Model (PDM). Garay and Ostrovsky [11] gave a 4-round protocol with probabilistic security when n > t, which shows that the connectivity requirement for PDM is the same as for the broadcast model.

The efficiency parameters of SMT protocols are (i) the number of rounds, where each round is one message flow from S to R or vice versa, and (ii) the communication efficiency, measured in terms of the transmission rate, which is the total number of bits sent over all wires for a message divided by the length of the secret.

Round complexity in PDM is measured by a pair (r, r'), where r is the total number of rounds and r' is the number of rounds in which the public channel is invoked (r ≥ r').

Related models: A public channel has been used in other contexts, including unconditionally secure key agreement [14], where the public channel is used for advantage distillation, information reconciliation and privacy amplification. The public channel in that setting is a free resource and its communication cost is not considered. In PDM, however, the cost of realizing such a channel in a distributed system is taken into account.

A. Our Results 

Garay et al. [11] proposed a (4, 3)-round protocol and subsequently improved its round complexity to (3, 2) rounds [10]. However, it was not known whether this round complexity was optimal.

The main result of this paper is to prove that the minimum values of r and r' for which an (r, r')-round (ε, δ) protocol can exist are 3 and 2, respectively. This answers the question of round optimality of almost SMT protocols in PDM that was raised in [11].

Our results on round optimality are obtained in three steps. We first prove that there is no (2, 2)-round (ε, δ) protocol in PDM with ε + δ < 1 − 1/|M| when n ≤ 2t, where M denotes the message space. This means that message transmission protocols in PDM with (2, 2)-round complexity are either unreliable or insecure.

In the second step we show that when the invocation of the public channel does not depend on the protocol execution and is statically determined as part of the protocol description, there is no (r ≥ 3, 1)-round (ε, δ) protocol with ε + δ < 1 − 1/|M| and δ < ½(1 − 1/|M|) when n ≤ 2t.

TABLE I
Main results on lower bounds of connectivity and round complexity of SMT protocols in PDM

Type                                                   | Resiliency | Round         | Construction               | Transmission Rate
(ε, δ), ε + δ < 1 − 1/|M|                              | n ≤ 2t     | (2, 2)        | Impossible (Theorem 2)     |
(ε, δ)*, ε + δ < 1 − 1/|M| and δ < ½(1 − 1/|M|)        | n ≤ 2t     | (r, 1), r ≥ 3 | Impossible (Theorem 3)     |
(ε, δ)-PD-adaptive**, 3ε + 2δ < 1 − 3/|M|              | n ≤ 2t     | (3, 1)        | Impossible (Theorem 4)     |
(0, δ)                                                 | n > t      | (3, 2)        | Possible: [9], [10], Theorem 5 | [9], [10]: O(n) on wires and public channel; ours: O(n) on wires and O(1) on public channel when the message length is Ω((n log δ)²)

* the invoker of the public channel is fixed initially in the protocol

** the invoker of the public channel is not fixed initially but is adaptive to the actual execution of the protocol

Then we generalize this result to the case where the invoker of the public channel is not fixed at the start of the protocol but is adaptively determined in each execution, and show that there is no (3, 1)-round (ε, δ) protocol with 3ε + 2δ < 1 − 3/|M|.

We also construct a round-optimal protocol that has constant transmission rate over the public channel when the length of the message (i.e., log|M|) is Ω((n log δ)²) bits.

Table I summarizes our results and puts them in relation to others' work.

B. Discussion 

One of the main motivations for studying SMT is to reduce the connectivity requirement of secure multiparty protocols [16] and related work. Secure multiparty protocols require a secure and reliable channel between every two nodes and so require the network graph to be complete. Using an SMT protocol one can simulate a secure connection between any two nodes in a network with sufficient connectivity, that is, n disjoint paths (and not a direct link) between any two nodes where n > 2t. Secure message transmission in PDM can further reduce the connectivity (n > t) as long as there is an authentic public channel. This is the lowest possible connectivity and shows that two nodes can securely communicate as long as there is one uncorrupted path between them (and a public channel). Realizing a public channel in a point-to-point sparse network is, however, costly. For example, it is possible to simulate such a channel using the almost-everywhere broadcast protocol of [11], which uses the almost-everywhere Byzantine agreement protocol of [6]. It is shown in [19] that in degree-bounded networks, agreement on a single bit using an almost-everywhere agreement protocol requires at least Ω(log N) rounds of communication, where N is the number of nodes in the network.

The high cost of simulating the public channel is the moti- 
vation for reducing the number of invocation and transmission 
rate of such a channel. 

C. Organization 

Section 2 describes the security model and relevant definitions. Lower bounds on the round complexity of SMT protocols in PDM are proved in Section 3. Section 4 describes a round-optimal (0, δ)-SMT by public discussion protocol. Finally we draw conclusions in Section 5.



II. Preliminaries 
A. Model and Notations 

Network model. We assume a synchronous, connected, point-to-point incomplete network. Players S and R are connected by n vertex-disjoint paths, called wires. In addition to the wires, we assume there is an authentic and reliable public channel between S and R. Messages over this channel are publicly accessible and are correctly delivered to the recipient. All wires and the public channel are bidirectional. SMT protocols proceed in rounds. In each round, one player may send a message on each wire and on the public channel, while the other player only receives the sent messages. The sent messages are delivered before the next round starts.

Adversary model. The adversary A is computationally unbounded. A can corrupt nodes on the paths between S and R. A wire is corrupted if at least one node on the path is corrupted. We assume up to t ≤ n − 1 wires can be corrupted by the adversary. A can eavesdrop on, modify or block messages sent over the corrupted wires. A is assumed to be adaptive, meaning that she can corrupt wires during the protocol execution based on the communication traffic she has seen so far.

We also consider a static adversary, by which we mean that the adversary chooses the corrupted wires before the start of the protocol. A static adversary will nevertheless act adaptively during the protocol execution with regard to the messages sent over the corrupted wires: in each round the adversary sees the traffic over all the corrupted wires and the public channel before tampering with the traffic over the corrupted wires in that round.

Notations. Let M be the message space. Let M_S denote the secret message of S, and M_R the message output by R. We use ⊥ to denote the null string and ∅ to denote the empty set. The notation u ← U denotes that a value u is sampled uniformly from a set U.

B. Definitions

The statistical distance of two random variables X, Y over a set U is given by

$$\Delta(X, Y) = \frac{1}{2} \sum_{u \in U} \left| \Pr[X = u] - \Pr[Y = u] \right|. \qquad (1)$$

Lemma 1: [20] Let X, Y be two random variables over a set U. The advantage of any computationally unbounded algorithm D : U → {0, 1} in distinguishing X from Y is

$$\left| \Pr[D(X) = 1] - \Pr[D(Y) = 1] \right| \le \Delta(X, Y).$$

In an execution of an SMT protocol Π, S wants to send M_S ∈ M to R privately and reliably. We assume that at the end of the protocol, R always outputs a message M_R ∈ M.

An execution is completely determined by the random coins of all the players, including the adversary, and the message distribution of M_S. For P ∈ {S, R, A}, the view of P includes the random coins of P and the messages that P receives. Denote by V_A(m, c_A) the view of A when the protocol is run with M_S = m and A's randomness C_A = c_A.

Definition 1: A protocol between S and R is an (ε, δ)-Secure Message Transmission by Public Discussion (SMT-PD) protocol if the following two conditions are satisfied:

• Privacy: For every two messages m_0, m_1 ∈ M and every c_A ∈ {0, 1}*,

  Δ(V_A(m_0, c_A), V_A(m_1, c_A)) ≤ ε,

  where the probability is taken over the randomness of S and R.

• Reliability: R recovers the message M_S with probability larger than 1 − δ, or formally

  Pr[M_R ≠ M_S] ≤ δ,

  where the probability is over the randomness of the players S, R and A, and the choice of M_S.

Observe that the above definition is oblivious of the message distribution, meaning that a given SMT-PD protocol is secure with the same privacy and reliability parameters regardless of the concrete distribution over M.

III. Round Complexity of SMT-PD Protocol 

By the similarity of the broadcast model and the public discussion model, we recall Franklin and Wright's results [9] in our language as follows.

Theorem 1: [9] If n ≤ 2t, then: (i) for any values r ≥ r', it is impossible to construct (r, r')-round (0, 0)-SMT-PD protocols; (ii) for any values r > 0 and 0 ≤ ε < 1, it is impossible to construct (r, 0)-round (ε, δ)-SMT-PD protocols with δ < ½(1 − 1/|M|).

In this section we prove that when n ≤ 2t, any (ε, δ)-SMT-PD protocol needs (3, 2)-round complexity. This is done by proving that (i) secure (2, 2)-round (ε, δ)-SMT-PD protocols do not exist, and (ii) for any (3, 1)-round protocol, either privacy or reliability can be compromised.



The following lemma plays a central role in proving the impossibility results in this paper. Loosely speaking, the lemma shows that for an (ε, δ)-SMT-PD protocol no algorithm that is given the adversary's view as input can output M_S with probability much better than a random guess.

Lemma 2: Let Π be an (ε, δ)-SMT-PD protocol and assume S selects M_S ← M. Then no adversary A can correctly guess M_S with probability larger than ε + 1/|M|. That is,

  Pr[M_A = M_S] ≤ ε + 1/|M|,

where M_A denotes the adversary's output, and the probability is taken over the random coins of S, R and A.

In proving Lemma 2 we need Lemma 3 below (see Appendix A for its proof).

Lemma 3: Consider an (ε, δ)-SMT-PD protocol Π and an adversary B that plays the following game: the challenger C sets up the system; B selects two messages M_0, M_1 from M and gives them to C, who selects b ← {0, 1} and runs the protocol (simulating S and R) to transmit M_b; B can corrupt up to t wires and finally outputs a bit b'.

Let B^{Π(M_b)}() be the output of B when b is selected by C in the simulation. Then

$$\left| \Pr\left[B^{\Pi(M_0)}() = 1\right] - \Pr\left[B^{\Pi(M_1)}() = 1\right] \right| \le \varepsilon, \qquad (2)$$

where the probability is taken over the randomness of C and B.

Proof: (of Lemma 2) The proof is by contradiction: assume that there is an adversary A that outputs M_A with probability Pr[M_A = M_S] > ε + 1/|M|. We construct an algorithm B that violates Eq. (2).

The code of B is as follows: B randomly chooses two messages (M_0, M_1) ∈ M and asks its challenger C to transmit one of the two messages. C chooses a bit b ← {0, 1} and simulates S and R to run protocol Π transmitting M_b. B runs the adversary A as a subroutine to attack the protocol. B answers A's queries by forwarding them to the challenger and returning the results back to A. At the end of the protocol A outputs a message in M (which may differ from both M_1 and M_0). B outputs 1 if A outputs M_1, and outputs 0 otherwise. Note that B has the complete view of A. Then

$$\Pr\left[B^{\Pi(M_1)}() = 1\right] = \Pr[M_A = M_1 \mid C \text{ has chosen } M_1] > \varepsilon + 1/|M|,$$

and

$$\Pr\left[B^{\Pi(M_0)}() = 1\right] = \Pr[M_A = M_1 \mid C \text{ has chosen } M_0] = 1/|M|. \qquad (3)$$

Note that Eq. (3) follows from the fact that M_1 is chosen independently of M_0 and of the randomness of players S and R in C's simulation, so the probability that A's output equals M_1 (which is chosen uniformly at random) is at most the probability of a random guess, which is 1/|M|. Hence we have Pr[B^{Π(M_1)}() = 1] − Pr[B^{Π(M_0)}() = 1] > ε, contradicting Lemma 3. ■
A. Impossibility of (2, 2)-Round (ε, δ)-SMT-PD Protocols when n ≤ 2t

The impossibility proof needs to analyze the actions of the adversary round by round, hence we start by decomposing an SMT-PD protocol into rounds as follows.

Definition 2: For an (r, r')-round SMT-PD protocol, the functionality of the protocol is described as a sequence of randomized functions (f_1, ..., f_r, g).

The function f_i denotes the round encoding function that is used to generate the traffic sent in the i-th round. The input of f_i consists of the messages received in previous rounds and the random coins of the caller. For a player P ∈ {S, R}, C_P denotes the random coins of P, and M_P^i denotes the set of all messages received by P during the first i rounds, with M_S^0 = {M_S} and M_R^0 = ∅. If the initiator of round 1 ≤ i ≤ r is P, we write P_i X_i Y_i = f_i(M_P^{i−1}, C_P) to denote the random variable corresponding to the traffic in round i; here P_i denotes the traffic over the public channel, and X_i and Y_i denote the traffic over the corrupted wires and the uncorrupted wires, respectively, or vice versa.

The function g denotes the decoding function. At the end of the protocol R outputs M_R = g(M_R^r, C_R).

Theorem 2: Let n ≤ 2t. Then there is no (2, 2)-round (ε, δ)-SMT-PD protocol with ε + δ < 1 − 1/|M|.

The proof is by contradiction: suppose there exists a (2, 2)-round (ε, δ)-SMT-PD protocol Π with ε + δ < 1 − 1/|M|. We construct an adversary A that breaks the privacy of Π by impersonating R. We show that for each execution of Π in which S sends a message m to R, there exists a second execution, called the swapped execution, in which S sends the same message m but A impersonates R, such that S receives identical traffic in the two executions and so cannot distinguish them. The views of R and A, however, are swapped in the two executions, and so if R outputs M_R = M_S in one of the executions, then A outputs M_A = M_S in the swapped execution, giving Pr[M_A = M_S] ≥ Pr[M_R = M_S]. Using Lemma 2 and the fact that Π is an (ε, δ)-SMT-PD protocol, we obtain ε + δ ≥ 1 − 1/|M|, which is a contradiction.

Proof: Assume by contradiction that there is a (2, 2)-round (ε, δ)-SMT-PD protocol Π with ε + δ < 1 − 1/|M|, and that the message distribution over M is uniform. Suppose the wires are labeled 1, 2, ..., n, and n = 2t. (Note that if there exists an (ε, δ)-SMT-PD protocol for n' < 2t, the same protocol can be run for n = 2t by ignoring the last n − n' wires. Thus an impossibility result for n = 2t still holds for n' < 2t.)

The adversary is assumed to be static in the following, that is, the corrupted wires are selected at the start of the protocol. Impossibility results obtained for such an adversary also hold for the more powerful adaptive adversaries who corrupt wires during the run of the protocol.

We write A's randomness as C_A = (C_A0, C_A1), where C_A0 ∈ {0, 1} is used to select one of the two sets of t wires, {1, ..., t} or {t + 1, ..., 2t}, for corruption, and C_A1 ∈ {0, 1}* is used for encoding and decoding the traffic. Let C_A0 = 0 and C_A0 = 1 denote that the first and the last t wires are corrupted, respectively.



Before going ahead, we remark that: (i) the last-round message of an SMT-PD protocol can only be from S to R, as otherwise it could be removed without affecting the output of R; (ii) for generality we do not assume that the interaction in an SMT-PD protocol is back-and-forth, meaning that some consecutive rounds of the protocol may have the same sender and yet cannot be combined into one round. Because of the public channel, this is a legitimate paradigm for designing SMT-PD protocols. E.g., both of the first two rounds of the protocol in [11] are from S to R, and both are from R to S in [10].

Therefore, depending on the direction of the first round, a 2-round SMT-PD protocol has two kinds of interaction.

CASE 1. In this case the first-round traffic is from R to S, while the second round is from S to R. Assume C_A0 = 1, i.e., the last t wires are corrupted. We illustrate the strategy of A in Fig. 1 and formalize it as follows.

• Round 1: When R sends P_1 X_1 Y_1 = f_1(C_R), A computes P_1 X'_1 Y'_1 = f_1(C'_R), where C'_R is derived from C_A1 and yields the same P_1 over the public channel, so A can leave the transmission over the public channel unchanged. This is always possible because the function table of f_1 is public and A is computationally unbounded: A finds the set of random strings Ω = {r | f_1(r) = P_1 X'_1 Y'_1} and selects C'_R ← Ω. A then replaces Y_1 by Y'_1.

• Round 2: When S generates the message P_2 X_2 Y_2 = f_2(M_S, P_1 X_1 Y'_1, C_S), A blocks the transmission over the corrupted wires and outputs M_A = g(P_2 Y_2, C'_R).

Let 𝓔 be the set of all executions of Π in the presence of A. We consider a binary relation W over 𝓔 such that (E, Ē) ∈ W if (i) M_S and C_S are the same in the two executions; (ii) C_A0 ⊕ C̄_A0 = 1; and (iii) C̄_R = C'_R and C̄'_R = C_R, where a bar denotes the random coins used and the messages output by A and R in Ē, and a prime denotes the coins A uses to impersonate R. Note that in the two executions the t corrupted wires are swapped with the uncorrupted ones, so that the messages received by A and R are swapped, as shown in Figs. 1 and 2.

For a pair (E, Ē) ∈ W, the first-round messages received by S in E and Ē are identical and equal to P_1 X_1 Y'_1. Thus in the second round, S generates the same traffic P_2 X_2 Y_2 in both E and Ē, and so if R outputs M_R in E, A outputs M̄_A = M_R in Ē, since M_R = g(P_2 X_2, C_R) = g(P_2 X_2, C̄'_R) = M̄_A.

Let p_E be the probability that execution E occurs, and define p_Ē similarly. Denote by 𝒮 ⊆ 𝓔 the set of executions with M_R = M_S, so that Pr[M_R = M_S] = Σ_{E∈𝒮} p_E. Now M̄_A = M_S holds in Ē whenever M_R = M_S holds in E, and so Pr[M_A = M_S] ≥ Σ_{E∈𝒮} p_Ē.

Observe that p_E is completely determined by the probability of selecting M_S and the random coins of all the players. For any two executions (E, Ē) ∈ W, we have (M_S, C_S) = (M̄_S, C̄_S), while C_R and C̄_R are both selected uniformly. Moreover, once C_R and C̄_R are fixed, the probabilities of selecting C_A and C̄_A are both 2^{−1−log|Ω|}. We thus get p_E = p_Ē.
[Figs. 1 and 2 are message-flow diagrams that did not survive extraction. Recoverable content: in execution E (Fig. 1), S holds (M_S, C_S), A holds (C_A0, C_A1) and R holds C_R; R sends P_1 X_1 Y_1 = f_1(C_R); A finds C'_R with P_1 X'_1 Y'_1 = f_1(C'_R) and forwards P_1 X_1 Y'_1; S sends P_2 X_2 Y_2 = f_2(M_S, P_1 X_1 Y'_1, C_S); A blocks Y_2 and computes M_A = g(P_2 Y_2, C'_R), while R outputs M_R = g(P_2 X_2, C_R). In the swapped execution Ē (Fig. 2), R uses C̄_R = C'_R and sends P_1 X'_1 Y'_1 = f_1(C̄_R); A uses C̄'_R = C_R, forges P_1 X_1 Y_1 = f_1(C̄'_R) and forwards P_1 X_1 Y'_1; S again sends f_2(M_S, P_1 X_1 Y'_1, C_S) = P_2 X_2 Y_2; A blocks X_2 and computes M̄_A = g(P_2 X_2, C̄'_R), while R outputs M̄_R = g(P_2 Y_2, C̄_R).]

Fig. 1. An execution E of Π in the presence of adversary A with C_A0 = 1.

Fig. 2. The swapped execution Ē of E with C̄_A0 = 0 and C̄_R = C'_R, C̄'_R = C_R.
Then by Lemma 2 and the above argument,

$$1 - \delta \le \Pr[M_R = M_S] \le \Pr[M_A = M_S] \le 1/|M| + \varepsilon. \qquad (4)$$

Therefore ε + δ ≥ 1 − 1/|M|, which contradicts the assumption on Π.



CASE 2. In this case both rounds of traffic are from S to R. Intuitively, if n ≤ 2t and S receives no feedback from R, A can simply block the traffic over the t corrupted wires, so that R has no advantage over A in recovering M_S.

More specifically, consider two executions E and Ē in this case, where the random coins of A and R are swapped and the corrupted and uncorrupted wires are also swapped. If A blocks the t corrupted wires, the view of R in E equals the view of A in Ē. Then if R outputs M_S in one execution, A outputs it in the swapped execution. By Lemma 2 and the assumption on Π, Eq. (4) also holds in this case, and it follows that ε + δ ≥ 1 − 1/|M|. ■
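The conditions of Definition 1, the tightness of Lemma 1, the bound of Lemma 2 and the swapped-execution argument of Theorem 2 (Case 2) can all be checked exhaustively on a small instance. The following Python script is an added example, not code from the paper: the 2-round toy protocol it uses (a uniform pad on each wire in round 1, the message one-time-padded with the sum of the pads on the public channel in round 2, with n = 2, t = 1 and M = Z_4) is a constructed assumption chosen so that every execution can be enumerated. For a static adversary that blocks one wire and runs R's own decoder on its view, the script computes ε as the largest statistical distance between the adversary's view distributions for two messages, δ as R's failure probability, and Pr[M_A = M_S], and verifies ε + δ ≥ 1 − 1/|M| (Theorem 2) and Pr[M_A = M_S] ≤ ε + 1/|M| (Lemma 2). On this toy both bounds are met with equality (ε = 0, δ = 3/4).

```python
"""Exhaustive check of Definition 1, Lemma 1, Lemma 2 and the Case 2 argument
of Theorem 2 on a constructed toy protocol (added example, not the paper's
protocol; the toy protocol and the adversary strategy are assumptions).

Setting: n = 2 wires, t = 1 corrupted wire (so n = 2t), M = Z_4, |M| = 4.
Toy 2-round protocol, both rounds from S to R:
  round 1: S sends a uniform pad r_i in Z_4 over wire i (i = 0, 1);
  round 2: S sends c = m + r_0 + r_1 (mod 4) over the public channel.
R outputs c minus the pads it received, treating a blocked wire as pad 0.
The static adversary corrupts one wire, blocks it, and applies R's own
decoder to its view (the eavesdropped pad and the public traffic).
"""
from collections import Counter
from fractions import Fraction
from itertools import product

M_SIZE = 4   # |M|
N_WIRES = 2  # n = 2t with t = 1


def all_pads():
    return list(product(range(M_SIZE), repeat=N_WIRES))


def execution(m, pads, corrupted):
    """One execution with message m, pads (r_0, r_1) and one corrupted wire.
    Returns (M_R, view of A, M_A)."""
    c = (m + sum(pads)) % M_SIZE                                # public channel, round 2
    received = [0 if i == corrupted else pads[i] for i in range(N_WIRES)]  # blocked wire -> 0
    m_r = (c - sum(received)) % M_SIZE                          # R's decoder g
    view_a = (pads[corrupted], c)                               # eavesdropped pad + public traffic
    m_a = (c - pads[corrupted]) % M_SIZE                        # g applied to A's view
    return m_r, view_a, m_a


def view_distribution(m, corrupted):
    """Distribution of A's view V_A(m) over S's uniform pads."""
    counts = Counter(execution(m, pads, corrupted)[1] for pads in all_pads())
    return {v: Fraction(k, len(all_pads())) for v, k in counts.items()}


def statistical_distance(p, q):
    """Eq. (1): Delta(X, Y) = 1/2 * sum_u |Pr[X = u] - Pr[Y = u]|."""
    return sum(abs(p.get(u, 0) - q.get(u, 0)) for u in set(p) | set(q)) / 2


def best_distinguisher_advantage(p, q):
    """Lemma 1 is tight: D(u) = 1 iff p(u) > q(u) has advantage exactly Delta(p, q)."""
    accept = {u for u in set(p) | set(q) if p.get(u, 0) > q.get(u, 0)}
    return sum(p.get(u, 0) for u in accept) - sum(q.get(u, 0) for u in accept)


def privacy_epsilon(corrupted):
    """Smallest epsilon satisfying the privacy condition of Definition 1."""
    dists = [view_distribution(m, corrupted) for m in range(M_SIZE)]
    return max(statistical_distance(p, q) for p in dists for q in dists)


def success_probabilities(corrupted):
    """(Pr[M_R = M_S], Pr[M_A = M_S]) over uniform M_S and uniform pads."""
    runs = [(m, pads) for m in range(M_SIZE) for pads in all_pads()]
    r_ok = sum(execution(m, pads, corrupted)[0] == m for m, pads in runs)
    a_ok = sum(execution(m, pads, corrupted)[2] == m for m, pads in runs)
    return Fraction(r_ok, len(runs)), Fraction(a_ok, len(runs))


def swapped_executions_match():
    """Theorem 2, Case 2: for the same (M_S, C_S), A's output when wire 1 is
    corrupted equals R's output in the swapped execution where wire 0 is
    corrupted, because blocking makes A's view equal to R's received traffic."""
    return all(execution(m, pads, 1)[2] == execution(m, pads, 0)[0]
               for m in range(M_SIZE) for pads in all_pads())


def theorem2_check(corrupted=1):
    """Returns (epsilon, delta, Pr[M_A = M_S], Theorem 2 bound holds,
    Lemma 2 bound holds) for the given corrupted wire."""
    eps = privacy_epsilon(corrupted)
    r_ok, a_ok = success_probabilities(corrupted)
    delta = 1 - r_ok
    return (eps, delta, a_ok,
            eps + delta >= 1 - Fraction(1, M_SIZE),   # Theorem 2: eps + delta >= 1 - 1/|M|
            a_ok <= eps + Fraction(1, M_SIZE))         # Lemma 2: Pr[M_A = M_S] <= eps + 1/|M|


if __name__ == "__main__":
    eps, delta, a_ok, thm2, lem2 = theorem2_check()
    print(f"epsilon={eps} delta={delta} Pr[M_A=M_S]={a_ok} "
          f"Theorem 2 bound holds: {thm2}, Lemma 2 bound holds: {lem2}")
```

`swapped_executions_match` is the concrete form of the Case 2 argument: because a blocked wire carries nothing, A's view in the execution that corrupts wire 1 is exactly R's received traffic in the execution that corrupts wire 0, so whatever decoder R uses, A obtains the same output in the swapped execution, and Pr[M_A = M_S] = Pr[M_R = M_S] follows from p_E = p_Ē.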

B. Impossibility of (r, 1)-Round (ε, δ)-SMT-PD Protocols when n ≤ 2t

Theorem 2 shows that optimal (ε, δ)-SMT-PD protocols need at least 3 rounds, while Theorem 1 shows that at least one invocation of the public channel is necessary. A natural question is thus whether secure (r ≥ 3, 1)-round SMT-PD protocols can exist. As a warm-up, the following theorem gives a negative answer for the case where the invoker of the public channel is specified in advance by the protocol.

Theorem 3: Let n ≤ 2t and r ≥ 3. Then an (r, 1)-round (ε, δ)-SMT-PD protocol with a fixed invoker of the public channel has either ε + δ ≥ 1 − 1/|M| or δ ≥ ½(1 − 1/|M|).

The proof is by contradiction: assume there exists an (r, 1)-round (ε, δ)-SMT-PD protocol Π with a fixed public-channel invoker, where the values of ε and δ satisfy neither of the above inequalities. We construct an adversary who breaks either the privacy or the reliability of Π.

A's strategy is to block the traffic (over the t corrupted wires) sent by the invoker of the public channel, and to replace the traffic (over the t corrupted wires) sent to the invoker by forged traffic constructed according to the protocol description. Then:

1) If the public channel is invoked by S, we show that S cannot distinguish two swapped executions in which she has the same view. The two executions have the property that if R outputs M_R = M_S in one execution, then A outputs M_A = M_S in the swapped execution. Using an argument similar to Theorem 2 we prove that the adversary breaks the privacy of the protocol and obtain ε + δ ≥ 1 − 1/|M|.

2) If the public channel is invoked by R, we show that R cannot distinguish two swapped executions in which he has the same view. If in one execution R outputs M_S, he outputs M_A in the swapped execution with the same probability. The two executions have the same probability, and so when M_S ≠ M_A we prove that the adversary breaks the reliability of the protocol and obtain δ ≥ ½(1 − 1/|M|).

Proof: We stress that in this proof the invoker of the public channel is specified in advance by the protocol, whereas the actual invocation round of the public channel may depend on the protocol execution. The impossibility result holds a fortiori when the invocation round of the public channel is also part of the protocol specification.

As noted in the proof of Theorem 2, the interaction order in the protocol is not necessarily back-and-forth, and the last round is from S to R. Moreover, we again suppose that the message distribution over M is uniform, that n = 2t, and that the adversary is static.

We separate the randomness C_A of A into four parts, (C_MA, C_A0, C_A1, C_A2), where C_A0 ∈ {0, 1} is used to choose one of the two subsets of t wires to corrupt (C_A0 = 0 and C_A0 = 1 select the first and the last t wires, respectively), C_A1 is used to generate traffic substituting the messages sent by S, C_A2 is used to generate traffic substituting the messages sent by R, and C_MA denotes the randomness A uses to select uniformly a message from M when impersonating S's traffic.
[Fig. 3 is a message-flow diagram that did not survive extraction. Recoverable content: S holds (M_S, C_S), A holds (C_MA, C_A0, C_A1, C_A2) and R holds C_R. In each round initiated by S, S sends X_j Y_j (or P_i X_i in its public-channel round i) computed as f_j(M_S, X_2 Y'_2, ..., C_S), and A blocks Y_j. In each round initiated by R, R sends X_{j} Y_{j} = f_j(X_1, ..., C_R) and A forges X'_j Y'_j = f_j(Y_1, ..., C_A2), replacing Y_j by Y'_j. In the last round S sends X_r Y_r = f_r(M_S, X_2 Y'_2, ..., C_S), A blocks Y_r, and R outputs M_R = g(X_1, ..., X_r, C_R).]

Fig. 3. The behaviour of A in an execution where the public channel is used by S and C_A0 = 1.



CASE 1. [S invokes the public channel.] We show that in this case A breaks the privacy of Π. Without loss of generality, assume C_A0 = 1. We describe the actions of A as follows: in each round 1 ≤ j ≤ r,

• when S sends X_j Y_j or P_j X_j Y_j, A blocks Y_j;

• when R sends X_j Y_j, A computes X'_j Y'_j = f_j(M_A^{j−1}, C_A2) and replaces Y_j by Y'_j. (Here M_A^{j−1} denotes the messages eavesdropped by A during the first j − 1 rounds.)

Finally, A outputs M_A = g(M_A^r, C_A2).

The above strategy of A is also shown in Fig. 3. Note that A can block and forge messages as above since A can randomly select C_A2 to generate messages {X'_j Y'_j} that are consistent with the protocol Π. Also note that C_MA = ⊥ and C_A1 = ⊥, since A need not impersonate S in this case.

Let 𝓔 be the set of executions of Π. We define a binary relation W_1 over 𝓔 relating two executions E and Ē as follows: (E, Ē) ∈ W_1 if (i) (M_S, C_S) are the same in both executions; (ii) C_A0 ⊕ C̄_A0 = 1; and (iii) C̄_A2 = C_R and C̄_R = C_A2.

Claim 1: (i) The view of S in E is the same as her view in Ē; and (ii) the view of A in E is identical to the view of R in Ē. Thus the output of R in E is the same as the output of A in Ē. That is, M_R = M̄_A holds.

Proof: Without loss of generality, assume that in execution E we have C_A0 = 1 and the public channel is used in round i. Also assume that during the first i − 1 rounds, R is the initiator of rounds {r_1, ..., r_ℓ} ⊆ {1, ..., i − 1}, ordered nondecreasingly. We first prove that statements (i) and (ii) hold during the first r_ℓ rounds; then, using the same technique, we prove that the statements hold in the later rounds, and thus prove M_R = M̄_A.

The proof is by induction over ℓ. When ℓ = 0, statements (i) and (ii) hold trivially from the facts that S receives no messages in the first i − 1 rounds and C_A0 ⊕ C̄_A0 = 1.

For each j < ℓ, suppose that statements (i) and (ii) hold during the first r_j rounds, i.e., for ℓ = j. The induction hypothesis states that M_R^{r_j} = {X_k}_{k≤r_j} and M_A^{r_j} = {Y_k}_{k≤r_j} are swapped, while M_S^{r_j} is the same in executions E and Ē. Our objective is to prove that (i) and (ii) also hold during the first r_{j+1} rounds, i.e., for ℓ = j + 1. Note that in all rounds k with r_j < k < r_{j+1}, transmissions are only from S to R. Formally, the message of each such round k is X_k Y_k = f_k(M_S^{r_j}, C_S), and R and A receive {X_k}_{r_j<k<r_{j+1}} and {Y_k}_{r_j<k<r_{j+1}}, respectively. Thus M_R^{r_{j+1}−1} = M_R^{r_j} ∪ {X_k}_{r_j<k<r_{j+1}} and M_A^{r_{j+1}−1} = M_A^{r_j} ∪ {Y_k}_{r_j<k<r_{j+1}}. As C_A0 ⊕ C̄_A0 = 1, it follows that M_R^{r_{j+1}−1} and M_A^{r_{j+1}−1} are swapped in E and Ē.

Let X_{r_{j+1}} Y'_{r_{j+1}} be the messages received by S in round r_{j+1} of E, where X_{r_{j+1}} is R's traffic f_{r_{j+1}}(M_R^{r_{j+1}−1}, C_R) over the uncorrupted wires and Y'_{r_{j+1}} is A's forged traffic f_{r_{j+1}}(M_A^{r_{j+1}−1}, C_A2) over the corrupted wires. Then S receives the same messages in round r_{j+1} of Ē, because C̄_A2 = C_R, C̄_R = C_A2, and M_R^{r_{j+1}−1} and M_A^{r_{j+1}−1} are exchanged in E and Ē. Thus statements (i) and (ii) hold during the first r_{j+1} rounds.

Henceforth, S sends X_k Y_k = f_k(M_S^k, C_S) = f_k(M̄_S^k, C̄_S) in each later round k with r_ℓ < k < i. Observe that in these rounds S receives no messages from R. Thus if S invokes the public channel in round i of E, it does the same in Ē, and it follows that the views of R and A in E and Ē are swapped during the first i rounds. A similar argument shows that after the i-th round S receives identical messages in the two swapped executions. Finally, the views of S in the two executions are the same, while the views of R and A are swapped in E and Ē. At the end of the protocol we have M_R = g(M_R^r, C_R) = g(M̄_A^r, C̄_A2) = M̄_A, where M̄_A^r denotes the messages that A has eavesdropped in execution Ē. □

Let 𝒮_1 ⊆ 𝓔 be the set of all successful executions in which R outputs M_R = M_S, and let p_E denote the probability of execution E, determined by the random coins of all players; define p_Ē similarly. Then Pr[M_R = M_S] = Σ_{E∈𝒮_1} p_E. By Claim 1, if E ∈ 𝒮_1 then A outputs M_S in the swapped execution of E; therefore Pr[M_A = M_S] ≥ Σ_{E∈𝒮_1} p_Ē.

Additionally, by the definition of W_1 and the observation that C_MA = C_A1 = ⊥ in this case, we have

$$p_E = p_{\bar{E}} = \frac{1}{|M|}\, 2^{-r_S - r_R - r_{A2} - 1}, \qquad (5)$$

where r_S, r_R, r_A2 denote the lengths of the random coins C_S, C_R, C_A2 used by S, R and A, respectively.

Now by Eq. (5) and Lemma 2 it follows that Eq. (4) also holds in this case, which yields 1 − 1/|M| ≤ ε + δ, contradicting the assumption on Π.



CASE 2. [R invokes the public channel.] We show that in this case the reliability of Π is broken. This is done by showing that for every successful execution there exists an unsuccessful one, and so the probability of success is at most 1/2.

Formally, the strategy of A is similar to CASE 1: when C_A0 = 1, in each round 1 ≤ j ≤ r,

• when R sends X_j Y_j or P_j X_j Y_j, A blocks Y_j;

• when S sends X_j Y_j, A computes X'_j Y'_j = f_j(M_A^{j−1}, C_A1) and replaces Y_j by Y'_j. (Here M_A^{j−1} denotes the messages selected and eavesdropped by A during the first j − 1 rounds.)

Note that C_A2 = ⊥ in this case. For simplicity, we abuse notation and write M_A for the message A selects uniformly using the coins C_MA.

Let 𝓔 and p_E be as defined in CASE 1 and consider a binary relation W_2 over 𝓔 where (E, Ē) ∈ W_2 if (i) C_R is the same in the two executions; (ii) C_A0 ⊕ C̄_A0 = 1; (iii) C̄_A1 = C_S and C̄_S = C_A1; (iv) M̄_S = M_A and M̄_A = M_S. Denote by 𝒮_2 the set of successful executions in which R outputs M_R = M_S, under the condition that M_A ≠ M_S.

Claim 2: For each swapped execution pair (E, E) G W2, 
the views of TZ in E and E are identical and so if E G S 2 is 
a successful execution, then E ^ S2 is a failed execution. 

Proof: Without loss of generality, assume $\mathcal{R}$ invokes the
public channel in round $i$ of $E$, and during the first $i$ rounds $\mathcal{S}$
is the initiator of rounds $\{r_1, \ldots, r_l\} \subseteq \{1, \ldots, i-1\}$ (listed
in nondecreasing order) in execution $E$. By induction on $l$, we
can prove that $\mathcal{R}$ will receive the same messages during the
first $r_l$ rounds of the two swapped executions. This means that
$\mathcal{R}$ will invoke the public channel in the same round $i$ of both $E$
and $\bar{E}$. Furthermore, we can prove that $\mathcal{R}$ will receive the
same messages during the later rounds of the two executions.
Thus we have $M_R^r = \bar{M}_R^r$, where $\bar{M}_R^r$ denotes all messages
that $\mathcal{R}$ received in $\bar{E}$. The proof is similar to Claim 1.

Now because $M_S$ and $M_A$ are swapped in $E$ and $\bar{E}$, if
$\mathcal{R}$ outputs $M_R = g(M_R^r, C_R) = M_S$ in $E$, he will output
$\bar{M}_R = g(\bar{M}_R^r, C_R) = \bar{M}_A \ne \bar{M}_S$ in $\bar{E}$. Thus for any two
swapped executions $(E, \bar{E}) \in W_2$ with $M_A \ne M_S$, we have
$\bar{E} \notin S_2$. ■

Claim 3: (i) The probabilities of any two swapped
executions $(E, \bar{E}) \in W_2$ are the same; that is, $p_E = p_{\bar{E}}$; and (ii)
when $M_S \ne M_A$, the failure probability of $\mathcal{R}$ in recovering
the secret message is not less than the success probability of
$\mathcal{R}$; formally
$$\Pr[M_R = M_S \mid M_S \ne M_A] \le \Pr[M_R \ne M_S \mid M_S \ne M_A],$$
where the probability is taken over the random coins and
messages selected by $\mathcal{S}$, $\mathcal{R}$ and $\mathcal{A}$.

Proof: (i) Note that an execution $E \in \mathbb{E}$ is completely
determined by the random coins and messages selected by
all the players. Then for each $E \in \mathbb{E}$, we have $p_E =
\frac{1}{|\mathcal{M}|}\, 2^{-r_S - r_R - r_A}$, where $r_S, r_R$ and $r_A$ denote the lengths of
the random coins $C_S, C_R$ and $C_A$, respectively. Similarly,
we have $p_{\bar{E}} = \frac{1}{|\mathcal{M}|}\, 2^{-\bar{r}_S - \bar{r}_R - \bar{r}_A}$.

As $C_{A2} = \bot$ in this case, we have $r_A = r_{M_A} + r_{A0} + r_{A1}$,
where $r_{M_A}, r_{A0}, r_{A1}$ denote respectively the lengths of $C_{M_A}$,
$C_{A0}$, $C_{A1}$. Similarly, $\bar{r}_A = \bar{r}_{M_A} + \bar{r}_{A0} + \bar{r}_{A1}$.

Note that $r_{A0} = \bar{r}_{A0} = 1$ and $r_{M_A} = \bar{r}_{M_A} = \lceil \log |\mathcal{M}| \rceil$.
By the definition of $W_2$, we have that $r_R = \bar{r}_R$, $r_S = \bar{r}_{A1}$
and $r_{A1} = \bar{r}_S$. Hence $r_S + r_R + r_A = \bar{r}_S + \bar{r}_R + \bar{r}_A$,
and then $p_E = p_{\bar{E}}$ holds.

(ii) Let $\bar{S}_2 = \mathbb{E} \setminus S_2$ denote the set of failed executions.
Since $\bar{E} \in \bar{S}_2$ holds for any $E \in S_2$, and by the one-to-one
correspondence of $E$ and $\bar{E}$, we get that $|S_2| \le |\bar{S}_2|$. The
probability that $\mathcal{R}$ fails when $M_A \ne M_S$ can be computed as
$$\begin{aligned}
\Pr[M_R \ne M_S \mid M_S \ne M_A]
&= \Pr[E \in \bar{S}_2] = \sum_{E \in \bar{S}_2} p_E \\
&\ge \sum_{E \in S_2} p_{\bar{E}} = \sum_{E \in S_2} p_E \\
&= \Pr[M_R = M_S \mid M_S \ne M_A].
\end{aligned}$$
■

From Claim 3 we must have $\Pr[M_R \ne M_S \mid M_A \ne M_S] \ge \frac{1}{2}$;
hence
$$\Pr[M_R \ne M_S] \ge \Pr[M_R \ne M_S \mid M_S \ne M_A]\, \Pr[M_S \ne M_A]
\ge \frac{1}{2}\Big(1 - \frac{1}{|\mathcal{M}|}\Big).$$

On the other hand, since $\Pi$ is a $\delta$-reliable protocol, we have
$\Pr[M_R \ne M_S] \le \delta$. It follows that $\delta \ge \frac{1}{2}\big(1 - \frac{1}{|\mathcal{M}|}\big)$, which
contradicts the assumption on $\Pi$. ■

C. Impossibility of (3,1)-Round PD-adaptive $(\epsilon,\delta)$-SMT-PD Protocol

Theorem 3 says that when the invoker of the public channel is
known at the start of the protocol, an $(r, 1)$-round SMT-PD
protocol is impossible. In this section we consider protocols
that allow the invoker of the public channel to depend on the
execution, or more precisely on the random coins of the
players. We call this type of SMT-PD protocol PD-adaptive.

Definition 3: An $(r, r')$-round SMT-PD protocol $\Pi$ is called
PD-adaptive if the invoker of the public channel and the
round of invocation of the public channel are not specified
at the start but depend on $C_S$, $C_R$, $C_A$ and $M_S$.

More specifically, for each round $1 \le i \le r$, let player
$P \in \{\mathcal{S}, \mathcal{R}\}$ be the initiator of the round. Let $M_P^{i-1}$ be
the set of all messages received by $P$ during the first $i - 1$
rounds, with $M_S^0 = \{M_S\}$ and $M_R^0 = \emptyset$. We denote by
$P_i X_i Y_i \stackrel{\mathrm{def}}{=} f_i(M_P^{i-1}, C_P)$ the traffic of round $i$, where $P_i$
denotes the traffic over the public channel, and $X_i$ and $Y_i$
are the traffic over the two sets of wires, one all corrupted
and one all uncorrupted.

Traffic on the public channel, that is, whether $P_j = \bot$ or $P_j \ne \bot$, is
determined by $M_P^{j-1}$ and $C_P$. Moreover, it must hold that $P_j = \bot$
if the public channel has been used $r'$ times before round $j$.

Theorem 4: Let $n \le 2t$. Then a PD-adaptive $(3, 1)$-round
$(\epsilon, \delta)$-SMT-PD protocol must have
$$3\epsilon + 2\delta \ge 1 - \frac{3}{|\mathcal{M}|}.$$

Proof: Suppose $\Pi$ is an arbitrary PD-adaptive $(3, 1)$-round
$(\epsilon, \delta)$-SMT-PD protocol. We construct a static adversary
$\mathcal{A}$ that breaks privacy or reliability of $\Pi$, and so prove that
$3\epsilon + 2\delta \ge 1 - \frac{3}{|\mathcal{M}|}$ must hold for any $\Pi$. The message
distribution is assumed to be uniform in this proof.

$\mathcal{A}$ selects the first or last $t$ wires to corrupt. In the rounds
before invocation of the public channel, $\mathcal{A}$ conducts a man-in-the-middle
attack between $\mathcal{S}$ and $\mathcal{R}$ by tampering with
the corrupted wires. When player $P \in \{\mathcal{S}, \mathcal{R}\}$ uses the public
channel, $\mathcal{A}$ simply blocks the corrupted wires and continues
to cheat $P$ by tampering with the later transmissions (from the other
player $\bar{P}$ to $P$) over the corrupted wires until the end of the
protocol.

Observe that although $\bar{P}$ will learn the locations of the corrupted
wires, since the public channel has already been used, $\bar{P}$ cannot
notify $P$. Thus $\mathcal{A}$ can continue to cheat $P$ in the later execution
of the protocol. We will prove that $\mathcal{A}$ can conduct the above
attack and thus violate the privacy or reliability of the protocol.

We use $[A - B - C]$ to indicate that the initiators of the first,
second and third rounds are $A$, $B$ and $C$, respectively. The
proof is divided into four steps stated as lemmas, each proving
an impossibility result for an interaction order. The omitted
proofs can be found in Appendix B.

Lemma 4: If the interaction order of protocol $\Pi$ is $[\mathcal{S} - \mathcal{S} - \mathcal{S}]$,
then $\epsilon + \delta \ge 1 - \frac{1}{|\mathcal{M}|}$.

Proof: The invoker of the public channel in this case must be
$\mathcal{S}$ and so $\mathcal{A}$ only blocks the traffic over the corrupted wires.
This is a special case of Theorem 2 and we have $\epsilon + \delta \ge
1 - \frac{1}{|\mathcal{M}|}$. ■

Lemma 5: If the interaction order of protocol $\Pi$ is $[\mathcal{S} - \mathcal{R} - \mathcal{S}]$,
then $\epsilon + \delta \ge \frac{1}{2} - \frac{1}{|\mathcal{M}|}$.

Lemma 6: If the interaction order of protocol $\Pi$ is $[\mathcal{R} - \mathcal{R} - \mathcal{S}]$,
then $3\epsilon + 2\delta \ge 1 - \frac{3}{|\mathcal{M}|}$.

Lemma 7: If the interaction order of protocol $\Pi$ is $[\mathcal{R} - \mathcal{S} - \mathcal{S}]$,
then $\epsilon + \delta \ge \frac{1}{2} - \frac{1}{|\mathcal{M}|}$.

The above argument shows that a protocol with order $[\mathcal{R} - \mathcal{R} - \mathcal{S}]$ may
have better security than protocols with other interaction orders.
However, even in this case, the protocol cannot guarantee privacy
and reliability at the same time. This completes the proof. ■



IV. A Round Optimal SMT-PD Protocol

As noted earlier, the modified version of the protocol in
[10] has optimal round complexity but has linear (in $n$)
transmission rates over the wires and the public channel, while
the complexity of the protocol in [9] is similar.

In this section we describe a $(3, 2)$-round $(0, \delta)$-SMT-PD
protocol with constant transmission rate over the public
channel, and $O(n)$ transmission rate over the wires (when the
message is long enough).



A. Our Construction

The proposed protocol uses universal hash functions.

Definition 4: Let $m \ge \ell$. A function family $\mathcal{H} = \{h :
\{0,1\}^m \to \{0,1\}^\ell\}$ is called a $\gamma$-almost strongly universal
hash function family if, given any $a_1, a_2 \in \{0,1\}^m$, $a_1 \ne a_2$,
and any $b_1, b_2 \in \{0,1\}^\ell$, it holds that $\Pr_{h \in_U \mathcal{H}}[h(a_1) = b_1 \wedge
h(a_2) = b_2] \le \gamma$.

1) ($\mathcal{S} \to \mathcal{R}$): For $i = 1, \ldots, n$, $\mathcal{S}$ randomly selects
$r_i \in \{0,1\}^\ell$ and $R_i \in \{0,1\}^m$ and sends the pair
$(r_i, R_i)$ to $\mathcal{R}$ along wire $i$.

2) ($\mathcal{S} \xleftarrow{P} \mathcal{R}$): For $i = 1, \ldots, n$, if $\mathcal{R}$ correctly
receives a pair $(r'_i, R'_i)$ along wire $i$ (i.e., $r'_i \in
\{0,1\}^\ell$, $R'_i \in \{0,1\}^m$), he selects $h_i \leftarrow \mathcal{H}$ and
computes $T'_i = r'_i \oplus h_i(R'_i)$; otherwise, wire $i$ is
assumed corrupted. He then constructs an indicator
bit string $B = b_1 b_2 \cdots b_n$ where $b_i = 1$ if wire $i$
is corrupted and $b_i = 0$ otherwise. Finally, he sends
$(B, (H_1, \ldots, H_n))$ over the public channel, where
$H_i = (h_i, T'_i)$ if $b_i = 0$; and $H_i$ is empty, otherwise.

3) ($\mathcal{S} \xrightarrow{P} \mathcal{R}$): $\mathcal{S}$ ignores the wires with $b_i = 1$. For
$i = 1, \ldots, n$, if $b_i = 0$, $\mathcal{S}$ computes $T_i = r_i \oplus h_i(R_i)$
and checks whether $T'_i = T_i$; if $T_i = T'_i$, wire $i$ is assumed
consistent; otherwise, wire $i$ is corrupted.

$\mathcal{S}$ constructs an indicator bit string $V = v_1 v_2 \cdots v_n$,
where $v_i = 1$ if wire $i$ is considered consistent;
otherwise $v_i = 0$. Finally, she publishes the pair
$(V, C = M_S \oplus \{\bigoplus_{v_i = 1} R_i\})$ over the public channel.

$\mathcal{R}$ recovers the message: When he gets $(V, C)$, $\mathcal{R}$
recovers $M_R = C \oplus \{\bigoplus_{v_i = 1} R'_i\}$ and outputs it.

Fig. 4. The $(3, 2)$-round $(0, \delta)$-SMT-PD protocol $\Pi_1$.



Corollary 1: Let $\mathcal{H} = \{h : \{0,1\}^m \to \{0,1\}^\ell\}$ be a $\gamma$-almost
strongly universal hash function family. Then, for any
$(a_1, c_1) \ne (a_2, c_2) \in \{0,1\}^m \times \{0,1\}^\ell$, $\Pr_{h \in \mathcal{H}}[c_1 \oplus h(a_1) =
c_2 \oplus h(a_2)] \le 2^\ell \gamma$.

Proof: For the equality $c_1 \oplus h(a_1) = c_2 \oplus h(a_2)$, if $a_1 = a_2$,
then $c_1 = c_2$, contradicting $(a_1, c_1) \ne (a_2, c_2)$. Thus we only
consider the case $a_1 \ne a_2$. Since
$$\Pr_{h \in \mathcal{H}}[c_1 \oplus h(a_1) = c_2 \oplus h(a_2)]
= \sum_{b \in \{0,1\}^\ell} \Pr_{h \in \mathcal{H}}[h(a_1) = c_1 \oplus b \wedge h(a_2) = c_2 \oplus b],$$
and from Definition 4, $\Pr_{h \in \mathcal{H}}[h(a_1) = c_1 \oplus b \wedge h(a_2) = c_2 \oplus b] \le \gamma$
for every $b$, we get $\Pr_{h \in \mathcal{H}}[c_1 \oplus h(a_1) = c_2 \oplus h(a_2)] \le 2^\ell \gamma$, and the result
follows. ■

Wegman and Carter [12] constructed a $2^{1-2\ell}$-almost
strongly universal hash family $\mathcal{H} = \{h : \{0,1\}^m \to \{0,1\}^\ell\}$.
Functions in $\mathcal{H}$ can be described by $O(\ell \log m)$ bits and
computed in polynomial time. The short description length
of the family $\mathcal{H}$ allows us to authenticate messages with
low communication complexity. The protocol $\Pi_1$ that transmits
$M_S \in \{0,1\}^m$ to $\mathcal{R}$ is described in Fig. 4.

Theorem 5: The protocol $\Pi_1$ is a $(3, 2)$-round $(0, (n - 1) \cdot
2^{1-\ell})$-SMT-PD protocol. Moreover, $\Pi_1$ is polynomial time
computable, and its transmission rate is $O(n)$ over the wires
and constant over the public channel when $m = \Omega(n^2 \kappa^2)$,
where $\kappa$ is the reliability parameter of the system with
$\delta = (n - 1) \cdot 2^{1-\ell} = 2^{-\kappa}$.

Proof: Let $\mathrm{Cor} = \{i \mid \text{wire } i \text{ is corrupted}\}$, and $\mathrm{Con} =
\{i \mid \text{wire } i \text{ is consistent}\}$.

• Reliability: If $\mathcal{S}$ can detect all corrupted wires with
$(r'_i, R'_i) \ne (r_i, R_i)$, the protocol is perfectly reliable;
otherwise, one such wire will break reliability. Using
Corollary 1, we show this probability is small. A more
formal proof follows.

In the second round the wires with $b_i = 1$ are detected
as corrupted, and are ignored in the third round. Hence
in the following we only consider wires with $b_i = 0$. For
wire $i$, the wire is called bad if $(r_i, R_i) \ne (r'_i, R'_i)$ but
$r_i \oplus h_i(R_i) = r'_i \oplus h_i(R'_i)$. Bad wires are always included
in $\mathrm{Con}$. Using Corollary 1 and noting that $r_i, R_i, r'_i, R'_i$
are fixed before the second round and only then is $h_i$ selected
with uniform distribution, we have
$$\begin{aligned}
\Pr[\text{wire } i \text{ is bad}]
&= \Pr[r_i \oplus h_i(R_i) = r'_i \oplus h_i(R'_i) \wedge (r_i, R_i) \ne (r'_i, R'_i)] \\
&\le \Pr[r_i \oplus h_i(R_i) = r'_i \oplus h_i(R'_i) \mid (r_i, R_i) \ne (r'_i, R'_i)] \\
&\le 2^\ell \cdot 2^{1-2\ell} = 2^{1-\ell},
\end{aligned}$$
where the probability is over the random coins of all the
players.

Then, the probability of unreliable message transmission is
$$\begin{aligned}
\Pr[M_R \ne M_S] &= \Pr\Big[\bigoplus_{j \in \mathrm{Con}} R_j \ne \bigoplus_{j \in \mathrm{Con}} R'_j\Big] \\
&\le \Pr[\exists j \in \mathrm{Con} \text{ s.t. } R_j \ne R'_j] \\
&\le \Pr[\text{at least one bad wire}] \\
&\le \sum_{j \in \mathrm{Cor}} \Pr[\text{wire } j \text{ is bad}] \\
&\le (n - 1) \cdot 2^{1-\ell},
\end{aligned}$$
where the probability is over the random coins of all the
players.

• Perfect Privacy: The intuition for proving perfect privacy
is as follows: the adversary can obtain transmissions
related to $M_S$ only from the public channel in round 3.
However, $M_S$ is masked by $R_i$ (if wire $i$ is uncorrupted),
and the adversary knows nothing about $R_i$ because the
only transmission which depends on $R_i$ is in the second
round invocation of the public channel ($h_i(R_i)$), which is
masked by $r_i$ and is not known by the adversary. This is
true because $r_i$ was only transmitted on a secure wire $i$.
A more formal proof follows.

Let $M_S = m^*$ be the message chosen by $\mathcal{S}$ and $C_A =
c_A$ denote the value of $\mathcal{A}$'s coins. We first describe $\mathcal{A}$'s
view in the protocol. Observe that in protocol $\Pi_1$, $\mathrm{Cor}$
is formed completely in the first round since the last two
rounds are only over the public channel. Then in the first
round $\mathcal{A}$ sees $\{(r_i, R_i)\}_{i \in \mathrm{Cor}}$ over the corrupted wires
and modifies them into $\{(r'_i, R'_i)\}_{i \in \mathrm{Cor}}$. In the second
and third round, $\mathcal{A}$ sees respectively $(B, (H_1, \ldots, H_n))$
and $(V, M \oplus \{\bigoplus R_i\}_{i \in \mathrm{Con}})$ over the public channel.
Since $\{(r'_i, R'_i)\}_{i \in \mathrm{Cor}}$ is computed by $\mathcal{A}$ using $c_A$ and
$\{(r_i, R_i)\}_{i \in \mathrm{Cor}}$ (in an adaptive way), and when $\mathcal{A}$ knows
$\{(r'_i, R'_i)\}_{i \in \mathrm{Cor}}$ and $\{h_i\}_{i \in \mathrm{Cor}}$ she can compute $(\{r'_i \oplus
h_i(R'_i)\}_{i \in \mathrm{Cor}}, B)$ and $(\bigoplus_{i \in \mathrm{Cor} \cap \mathrm{Con}} R_i, V)$ by herself,
we thus remove the computable part from her view and
describe it as a 4-tuple of random variables as follows,
$$\begin{aligned}
V_A(m^*, c_A) &= (c_A, V_1, V_2, V_3) \\
&= \Big(c_A,\ \{(r_i, R_i)\}_{i \in \mathrm{Cor}},\
\big(\{h_i\}_{i=1}^n, \{r_i \oplus h_i(R_i)\}_{i \notin \mathrm{Cor}}\big),\
m^* \oplus \big(\textstyle\bigoplus_{i \notin \mathrm{Cor}} R_i\big)\Big), \qquad (6)
\end{aligned}$$
where $V_j$ is $\mathcal{A}$'s view in round $j$.

For two messages $m_0, m_1$ and $C_A = c_A$, the statistical
distance between $V_A(m_0, c_A)$ and $V_A(m_1, c_A)$ is given by
$$\Delta(V_A(m_0, c_A), V_A(m_1, c_A))
= \sum_{v} \big|\Pr[V_A(m_0, c_A) = v] - \Pr[V_A(m_1, c_A) = v]\big|,$$
where the probability is over the choices of $C_S$ and $C_R$.
Then the term $\Pr[V_A(m_0, c_A) = v]$ is given by
$$\Pr[V_A(m_0, c_A) = v]
= \sum_{\{c_S, c_R : V_A(m_0, c_A) = v\}} \Pr[C_S = c_S \wedge C_R = c_R].$$

Note that $C_S$ and $C_R$ are independent and have length
$n(m + \ell)$ and $wk$ respectively, where $w$ is the number of wires
for which $\mathcal{R}$ selects a hash function (those with $b_i = 0$) and $k$ is the
description length of a function in $\mathcal{H}$. Hence $\Pr[C_S = c_S \wedge C_R = c_R] =
2^{-n(m+\ell) - wk}$; note this value is independent of the value
of $m_0$.

Therefore we only need to count the number of executions
in which the coin tosses of the sender and the
receiver are such that the random variable $V_A(m_0, c_A) = v$.

Suppose that $v = (c_A, V_1, V_2, V_3)$ is fixed; it implies
that $\mathrm{Cor}$ and $c_R = \{h_i\}_{i=1}^n$ are also determined; then the
choices of $\{(r_i, R_i)\}_{i \notin \mathrm{Cor}}$ should be consistent with $V_2$
and $V_3$. Since $\bigoplus_{i \notin \mathrm{Cor}} R_i = V_3 \oplus m_0$, when $m_0, V_3$ are
fixed, at most $n - |\mathrm{Cor}| - 1$ elements in $\{R_i\}_{i \notin \mathrm{Cor}}$ can
be selected freely. Moreover, when $V_2$ and $\{R_i\}_{i \notin \mathrm{Cor}}$
are fixed, $\{r_i\}_{i \notin \mathrm{Cor}}$ are also determined. Therefore, the
number of $(C_S, C_R)$ resulting in $V_A(m_0, c_A) = v$ is bounded
by the number of choices of $R_i$ for $i \notin \mathrm{Cor}$. In total, they have
$2^{m(n - |\mathrm{Cor}| - 1)}$ different choices. Hence we have
$$\Pr[V_A(m_0, c_A) = v] = \frac{2^{m(n - |\mathrm{Cor}| - 1)}}{2^{n(m+\ell) + wk}}.$$

The proof is complete by noting that the above probability is independent of $m_0$.
• Complexity: Since the hash function is polynomial time
computable in $m$, the computation complexity of $\mathcal{S}$ and
$\mathcal{R}$ is polynomial in $n$ and $m$. For communication
complexity, $\Pi_1$ needs to communicate $m + \ell$ bits over
each wire, and at most $(4s \log m + \ell + 2)n + m$ bits
over the public channel, where $s = \ell + \log \log m$. If the
reliability requirement is set to $\delta = 2^{-\kappa} = (n - 1) \cdot 2^{1-\ell}$,
then $\ell = \kappa + \log(n - 1) + 1$. The transmission rate
over the public channel, assuming $m = \Omega(n^2 \kappa^2)$, is
$((4s \log m + \ell + 2)n + m)/m$, which is constant asymptotically. ■
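To make the three rounds of Fig. 4 and the accounting of Theorem 5 concrete, here is an added Python example; it is not code from the paper. It runs $\Pi_1$ end to end with an adversary who controls the last $t$ wires and either blocks them or flips a bit of $R_i$, and checks that $\mathcal{S}$'s round-3 indicator $V$ excludes the tampered wires so that $\mathcal{R}$ still recovers $M_S$. Two simplifications are this example's own assumptions: the hash family is a polynomial hash over $\mathbb{Z}_p$ with $p = 2^{61} - 1$ plus a uniform offset, standing in for the Wegman-Carter family, and the tag $r_i \oplus h_i(R_i)$ is formed modulo $p$ rather than by XOR. `public_channel_bits` evaluates the public-channel traffic formula of the complexity bullet for given $n$, $\kappa$, $m$. All function names and sample values (`run`, `tamper_last_t`, the 64-bit test message) are the example's own.

```python
"""Toy end-to-end run of protocol Pi_1 (Fig. 4) against a wire adversary.

Added example, not the paper's code.  Assumptions that differ from the paper:
  * hash family: h_{k,b}(x) = b + sum_j x_j k^(j+1) mod p, p = 2^61 - 1,
    x_1..x_d the 60-bit chunks of R_i (collides with probability <= d/p);
  * r_i, tags and masks are integers; the tag r_i (+) h_i(R_i) is formed
    modulo p instead of by XOR.
"""
import math
import secrets

P = (1 << 61) - 1   # Mersenne prime underlying the hash family
CHUNK = 60          # bits of R_i per polynomial coefficient


def _chunks(x):
    out = []
    while x:
        out.append(x & ((1 << CHUNK) - 1))
        x >>= CHUNK
    return out or [0]


def hash_eval(key, x):
    """h_{k,b}(x): Horner evaluation of the chunk polynomial plus offset b."""
    k, b = key
    acc = 0
    for xj in reversed(_chunks(x)):
        acc = (acc + xj) * k % P
    return (acc + b) % P


def sender_round1(n, m_bits):
    """Round 1 (wires): fresh (r_i, R_i) per wire, kept as S's state."""
    return [(secrets.randbelow(P), secrets.randbits(m_bits)) for _ in range(n)]


def receiver_round2(received, m_bits):
    """Round 2 (public): B flags garbage wires; H_i = (h_i, T'_i) otherwise."""
    B, H = [], []
    for rec in received:
        ok = rec is not None and 0 <= rec[0] < P and 0 <= rec[1] < (1 << m_bits)
        if not ok:
            B.append(1)
            H.append(None)
            continue
        key = (secrets.randbelow(P), secrets.randbelow(P))      # h_i <- H
        B.append(0)
        H.append((key, (rec[0] + hash_eval(key, rec[1])) % P))  # T'_i
    return B, H


def sender_round3(pairs, B, H, message):
    """Round 3 (public): V flags consistent wires; C = M_S xor their R_i."""
    V, mask = [], 0
    for i, (r, R) in enumerate(pairs):
        if B[i] == 1:
            V.append(0)
            continue
        key, t_prime = H[i]
        if (r + hash_eval(key, R)) % P == t_prime:   # T_i == T'_i ?
            V.append(1)
            mask ^= R
        else:
            V.append(0)
    return V, message ^ mask


def receiver_recover(received, V, C):
    """R strips the mask with its own copies R'_i of the consistent wires."""
    mask = 0
    for i, v in enumerate(V):
        if v:
            mask ^= received[i][1]
    return C ^ mask


# Adversaries on the last t wires (constructed for this demo).
def honest(pairs, t):
    return list(pairs)


def block_last_t(pairs, t):
    return list(pairs[:len(pairs) - t]) + [None] * t


def tamper_last_t(pairs, t):
    # Flip a bit of R_i; h_i is chosen only afterwards, so the tag check
    # misses the change only on a polynomial-hash collision (prob <= d/p).
    keep = len(pairs) - t
    return list(pairs[:keep]) + [(r, R ^ 1) for r, R in pairs[keep:]]


def run(n, t, m_bits, message, adversary):
    """Execute Pi_1; returns (M_R, B, V)."""
    pairs = sender_round1(n, m_bits)
    received = adversary(pairs, t)
    B, H = receiver_round2(received, m_bits)
    V, C = sender_round3(pairs, B, H, message)
    return receiver_recover(received, V, C), B, V


def public_channel_bits(n, kappa, m):
    """Theorem 5 accounting: ell = kappa + log2(n-1) + 1, s = ell + log2 log2 m,
    public-channel traffic (4 s log2 m + ell + 2) n + m bits."""
    ell = kappa + math.log2(n - 1) + 1
    s = ell + math.log2(math.log2(m))
    return (4 * s * math.log2(m) + ell + 2) * n + m
```

Calling `run(5, 2, 64, msg, tamper_last_t)` returns the original message with `B = [0, 0, 0, 0, 0]` and `V = [1, 1, 1, 0, 0]`: the two tampered wires pass the round-2 format check but fail the round-3 tag comparison, because once $(r_i, R_i)$ and $(r'_i, R'_i)$ are fixed on the wire, the uniformly chosen $h_i$ turns $r_i \oplus h_i(R_i) = r'_i \oplus h_i(R'_i)$ into a collision event of probability at most $d/p$, the analogue of Corollary 1's $2^\ell\gamma$. The pattern a practitioner should keep is that $\mathcal{R}$ commits to $h_i$ only after the wire traffic is fixed, so a round-1 forgery cannot be targeted at the check. With $n = \kappa = 30$ and $m = 2^{20}$, `public_channel_bits` returns about $1.09 \cdot 2^{20}$, matching the "around $2^{20}$ bits" figure of Section IV-B.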



B. Comparisons with Schemes in [9], [10]

As noted earlier, communication over the public channel is
much more costly than communication over the wires, and so
minimizing the transmission rate over the public channel will
have a large effect on the overall efficiency of the protocol. This
is particularly important for transmitting long messages. For
example, in most cases $\kappa = 30$ provides sufficient reliability.
However, messages can be as long as $2^{20}$ bits. When $n = 30$
wires are available, our proposed protocol transmits around
$2^{20}$ bits over the public channel with reliability higher than
$1 - 2^{-30}$ (since $m \ge n^2 \kappa^2$). The protocols in [9], [10] both
have transmission rate $O(n)$ and so need to send almost 30
times as much data ($30 \times 2^{20} \approx 2^{25}$ bits) over the public channel. The
reliability is $1 - 2^{-O(m)} = 1 - 2^{-2^{20}}$ in [9], [10], which would
be unnecessarily high.

V. Conclusion and Further Research

In this work we considered round-optimal protocols for
secure message transmission (SMT) by public discussion. This
is an important communication model in realizing almost-everywhere
multiparty computation. Since the implementation
cost of the public channel is high, it is important to minimize
transmission over the public channel. Our results show that
a secure protocol in this model needs at least 3 rounds and in 2 of
them the public channel must be invoked. We prove this result
in a general setting where the invocation of the public channel is
not known at the start of the protocol and depends on the coin
tosses of the participants. We describe a round-optimal protocol
that has constant transmission rate over the public channel and
linear transmission rate over the wires.

Existence of PD-adaptive SMT-PD protocols with $r \ge 4$
rounds and one round of public discussion, and construction of
round-optimal protocols with optimal communication complexity
over wires and public channel (if they exist) are
interesting open problems.
Appendix

A. Proof for Lemma 3

Proof: By Definition 1 and Lemma 1 we have: for
any algorithm $\mathcal{D}$, any two messages $m_0, m_1 \in \mathcal{M}$, and any
adversary $\mathcal{B}$ with randomness $c_B \in \{0,1\}^*$,
$$\big|\Pr[\mathcal{D}(V_B(m_0, c_B)) = 1] - \Pr[\mathcal{D}(V_B(m_1, c_B)) = 1]\big| \le \epsilon, \qquad (7)$$
where the probability is over the random coins of $\mathcal{S}$ and $\mathcal{R}$.
Note here $V_B(m, c)$ is (the random variable of) the view of $\mathcal{B}$
when the (fixed) message $m \in \mathcal{M}$ is transmitted and $\mathcal{B}$ uses
the (fixed) coins $C_B = c_B$ in the protocol.

Then by taking the average over the randomness of $C_B$, the
following holds from Eq. (7):
$$\big|\Pr[\mathcal{D}(V_B(m_0)) = 1] - \Pr[\mathcal{D}(V_B(m_1)) = 1]\big| \le \epsilon, \qquad (8)$$
where $V_B(m)$ denotes the view of $\mathcal{B}$ when the fixed message
$m \in \mathcal{M}$ is transmitted in the protocol, and it is a random
variable over the random coins of $\mathcal{S}$, $\mathcal{R}$ and $\mathcal{B}$.

The adversary's strategy consists of selecting messages
$(M_0, M_1)$ followed by attacking the protocol, and so we write
$\mathcal{B} = (\mathcal{B}_1, \mathcal{B}_2)$. We use $C_{B1}$ to denote the random coins used
by $\mathcal{B}_1$ to select $(M_0, M_1)$. Let $p_0 \stackrel{\mathrm{def}}{=} \Pr[\mathcal{B}^{\Pi(M_0)}() = 1]$ and
$p_1 \stackrel{\mathrm{def}}{=} \Pr[\mathcal{B}^{\Pi(M_1)}() = 1]$. We have
$$\begin{aligned}
\big|\Pr[\mathcal{B}^{\Pi(M_0)}() = 1] - \Pr[\mathcal{B}^{\Pi(M_1)}() = 1]\big|
&= \Big|\sum_{C_{B1} = c} \Pr[C_{B1} = c]\,(p_0 - p_1)\Big| \\
&\le \sum_{C_{B1} = c} \Pr[C_{B1} = c]\,|p_0 - p_1| \\
&\le \epsilon.
\end{aligned}$$
The last step follows from the observation that $|p_0 - p_1| \le \epsilon$
due to (8). ■

Assume in the first round $\mathcal{S}$ sends $X_1 Y_1$ and let the sets
$\Omega_1 \subseteq \mathcal{M} \times \{0,1\}^*$ and $\Omega_2 \subseteq \Omega_1 \times \{0,1\}^*$ be defined as
$$\Omega_1 \stackrel{\mathrm{def}}{=} \{(m, c_1) \mid f_1(m, c_1) \text{ doesn't use the public channel}\}$$
and
$$\Omega_2 \stackrel{\mathrm{def}}{=} \{(m, c_1, c_2) \mid (m, c_1) \in \Omega_1,\ c_2 \in \{0,1\}^* \text{ s.t. } f_2(X'_1 Y_1, c_2) \text{ doesn't use the public channel, where } X'_1 Y'_1 = f_1(m, c_1)\}.$$
We have $(M_S, C_S) \in \Omega_1$. If $\Omega_2 \ne \emptyset$, $\mathcal{A}$ randomly chooses
$(M_A, C_{A1}, C_{A2}) \leftarrow \Omega_2$; otherwise, $\mathcal{A}$ randomly chooses
$(M_A, C_{A1}, C_{A2}) \leftarrow \Omega_1 \times \{0,1\}^*$.

Fig. 5. The strategy by which $\mathcal{A}$ selects $(M_A, C_{A1}, C_{A2})$ when $\mathcal{S}$
doesn't use the public channel in round 1.



B. Proofs Omitted From Theorem 4

As in the proof of Theorem 3, we separate $\mathcal{A}$'s random
coins into four parts: $(C_{M_A}, C_{A0}, C_{A1}, C_{A2})$. For the sake of
clarity, the message selected by $\mathcal{A}$ using randomness $C_{M_A}$ is
denoted by $M_A$, while the message output by $\mathcal{A}$ at the end
of the protocol is denoted by $M_A^+$.

1) Proof of Lemma 5:
The public channel can be used in any of the three rounds.
For simplicity, we assume $C_{A0} = 1$, i.e., $\mathcal{A}$ selects the last
$t$ wires to corrupt. The actions of $\mathcal{A}$ are illustrated in Figs.
6, 7 and 8 respectively. (We remark that when $C_{A0} = 0$, $\mathcal{A}$'s
action is similar.) The detail of how $\mathcal{A}$ selects $(M_A, C_{A1}, C_{A2})$
when $\mathcal{S}$ doesn't use the public channel in the first round is
supplied in Fig. 5.

We remark that: (i) When $\mathcal{S}$ doesn't use the public channel
in round 1 and $\Omega_2 \ne \emptyset$, the strategy as described in Fig.
5 ensures that $\mathcal{A}$ can produce message $X_2 Y_2$ without public
channel communication in the second round. (ii) Since $\mathcal{A}$ is
computationally unbounded, she knows $f_1$'s and $f_2$'s function
tables and so knows the sets $\Omega_1$ and $\Omega_2$. Thus $\mathcal{A}$ can conduct
the above attacks.

We analyze the success probability of $\mathcal{A}$ in the following.
Let $\mathcal{E}_1$ and $\mathcal{E}_3$ denote the events that $\mathcal{S}$ invokes the public
channel in round 1 and 3, respectively. Let $\mathcal{E}_2$ be the event
that $\mathcal{R}$ invokes the public channel in round 2. Then $\mathcal{E}_1$, $\mathcal{E}_2$
and $\mathcal{E}_3$ are disjoint events and $\Pr[\mathcal{E}_1 \vee \mathcal{E}_2 \vee \mathcal{E}_3] = 1$ since $\Pi$
is a $(3, 1)$-round protocol.



Claim 4: Let $b \in \{1, 3\}$. If $\mathcal{E}_b$ occurs, we have
$$\Pr[M_A^+ = M_S \mid \mathcal{E}_b] \ge \Pr[M_R = M_S \mid \mathcal{E}_b].$$

Proof: (i) We first prove the case of $b = 1$. Denote by $\mathbb{E}_1$
the set of all executions where $\mathcal{E}_1$ occurs, and by $S_1 \subseteq \mathbb{E}_1$ the
set of successful executions in which $\mathcal{R}$ outputs $M_R = M_S$.

Define a relation $W_1 \subseteq \mathbb{E}_1 \times \mathbb{E}_1$, where $(E, \bar{E}) \in W_1$
if: (i) $M_S, C_S$ remain unchanged in the two executions; (ii)
$C_{A0} \oplus \bar{C}_{A0} = 1$; (iii) $C_{A2} = \bar{C}_R$, $C_R = \bar{C}_{A2}$.

Similar to CASE 1 in Theorem 2, we can prove that $\mathcal{S}$
cannot distinguish two swapped executions $(E, \bar{E}) \in W_1$ and
so if $M_R = M_S$, we have $\bar{M}_A^+ = M_S$. Furthermore, we have
$p_E = \frac{1}{|\Phi|}\, 2^{-r_A - r_R} = p_{\bar{E}}$, where $\Phi \subseteq \mathcal{M} \times \{0,1\}^{r_S}$ is the set
of all $(M_S, C_S)$ such that $\mathcal{E}_1$ occurs, and $r_S, r_A, r_R$ denote
the length of the randomness used by $\mathcal{S}$, $\mathcal{A}$, $\mathcal{R}$, respectively.
We then obtain
$$\Pr[M_A^+ = M_S \mid \mathcal{E}_1] \ge \sum_{E \in S_1} p_{\bar{E}} = \sum_{E \in S_1} p_E = \Pr[M_R = M_S \mid \mathcal{E}_1].$$

(ii) When $b = 3$, let $\mathbb{E}_3$ be the set of all executions where $\mathcal{E}_3$
occurs, and $S_3 \subseteq \mathbb{E}_3$ be the set of all successful executions in
which $\mathcal{R}$ outputs $M_R = M_S$. Define a relation $W_3 \subseteq \mathbb{E}_3 \times \mathbb{E}_3$,
where $(E, \bar{E}) \in W_3$ if: (i) $M_S, C_S$ and $M_A, C_{A1}$ remain
unchanged in the two executions; (ii) $C_{A0} \oplus \bar{C}_{A0} = 1$; (iii)
$C_{A2} = \bar{C}_R$, $C_R = \bar{C}_{A2}$.

Then by a proof similar to CASE 1 in Theorem 2, we have
$\bar{M}_A^+ = M_R$.

For any two executions $(E, \bar{E}) \in W_3$,
suppose $(M_S, C_S, C_R, C_A) = (m_S, c_S, c_R, c_A)$ and
$(\bar{M}_S, \bar{C}_S, \bar{C}_R, \bar{C}_A) = (\bar{m}_S, \bar{c}_S, \bar{c}_R, \bar{c}_A)$. Then the
probability that $E$ occurs is $p_E = \Pr[(M_S, C_S) =
(m_S, c_S) \wedge C_R = c_R \wedge C_A = c_A \mid \mathcal{E}_3] = \alpha \cdot \beta$, where
$\alpha = \Pr[(M_S, C_S) = (m_S, c_S) \mid \mathcal{E}_3]$ and $\beta = \Pr[C_A =
c_A \wedge C_R = c_R \mid (M_S, C_S) = (m_S, c_S) \wedge \mathcal{E}_3]$. Similarly, we
have $p_{\bar{E}} = \Pr[(\bar{M}_S, \bar{C}_S) = (\bar{m}_S, \bar{c}_S) \wedge \bar{C}_R = \bar{c}_R \wedge \bar{C}_A = \bar{c}_A \mid
\mathcal{E}_3] = \bar{\alpha} \cdot \bar{\beta}$, where $\bar{\alpha} = \Pr[(\bar{M}_S, \bar{C}_S) = (\bar{m}_S, \bar{c}_S) \mid \mathcal{E}_3]$ and
$\bar{\beta} = \Pr[\bar{C}_A = \bar{c}_A \wedge \bar{C}_R = \bar{c}_R \mid (\bar{M}_S, \bar{C}_S) = (\bar{m}_S, \bar{c}_S) \wedge \mathcal{E}_3]$.



Fig. 6. An execution of $\Pi$ with order $[\mathcal{S} - \mathcal{R} - \mathcal{S}]$, where $C_{A0} = 1$ and $\mathcal{S}$ uses the public channel in round 1.

Fig. 7. An execution of $\Pi$ with order $[\mathcal{S} - \mathcal{R} - \mathcal{S}]$, where $C_{A0} = 1$ and $\mathcal{R}$ uses the public channel in round 2.

Fig. 8. An execution of $\Pi$ with order $[\mathcal{S} - \mathcal{R} - \mathcal{S}]$, where $C_{A0} = 1$ and $\mathcal{S}$ uses the public channel in round 3.



Obviously, we have $\alpha = \bar{\alpha}$ as $(M_S, C_S) = (\bar{M}_S, \bar{C}_S)$. The
following is to prove $\beta = \bar{\beta}$. Since $(M_A, C_{A1}) = (\bar{M}_A, \bar{C}_{A1})$,
this is equivalent to proving
$$\Pr[C_{A2} = c_{A2} \wedge C_R = c_R \mid X] = \Pr[\bar{C}_{A2} = \bar{c}_{A2} \wedge \bar{C}_R = \bar{c}_R \mid \bar{X}], \qquad (9)$$
where $X$ denotes the event that $(M_S, C_S) = (m_S, c_S) \wedge
(M_A, C_{A0}, C_{A1}) = (m_A, c_{A0}, c_{A1}) \wedge \mathcal{E}_3$, and $\bar{X}$ denotes
the event that $(\bar{M}_S, \bar{C}_S) = (\bar{m}_S, \bar{c}_S) \wedge (\bar{M}_A, \bar{C}_{A0}, \bar{C}_{A1}) =
(\bar{m}_A, \bar{c}_{A0}, \bar{c}_{A1}) \wedge \mathcal{E}_3$.

Note that $C_R$ is uniformly selected by $\mathcal{R}$ and $C_{A2}$ is selected
by $\mathcal{A}$ in the first round without seeing any information about
$C_R$. Hence $C_{A2}$ and $C_R$ are independent. Similarly, $\bar{C}_{A2}$ and
$\bar{C}_R$ are independent.

Then Eq. (9) can be expressed as
$$\Pr[C_{A2} = c_{A2} \mid X]\, \Pr[C_R = c_R \mid X]
= \Pr[\bar{C}_{A2} = \bar{c}_{A2} \mid \bar{X}]\, \Pr[\bar{C}_R = \bar{c}_R \mid \bar{X}].$$

Let $\Phi = \{c \mid f_2(X'_1 Y_1, c) \text{ doesn't use the public channel}\}$,
where $X'_1 Y_1$ comes from $X_1 Y_1 = f_1(m_S, c_S)$ and $X'_1 Y'_1 =
f_1(m_A, c_{A1})$. Since $C_{A2}$ is uniformly selected from $\Phi$, we
have $\Pr[C_{A2} = c_{A2} \mid X] = \frac{1}{|\Phi|}$. Furthermore, when $X$ occurs,
from the definition of $W_3$ we have that $C_R$ is in $\Phi$, which
implies $\Pr[C_R = c_R \mid X] = \frac{1}{|\Phi|}$. Similarly, we get
$$\Pr[\bar{C}_R = \bar{c}_R \mid \bar{X}] = \Pr[\bar{C}_{A2} = \bar{c}_{A2} \mid \bar{X}] = \frac{1}{|\Phi|}.$$

We have thus proved the equality of Eq. (9), which implies that
$p_E = p_{\bar{E}}$, and then
$$\Pr[M_A^+ = M_S \mid \mathcal{E}_3] \ge \sum_{E \in S_3} p_{\bar{E}}
= \sum_{E \in S_3} p_E
= \Pr[M_R = M_S \mid \mathcal{E}_3].$$
■

Claim 5: $\Pr[M_R \ne M_S \mid M_S \ne M_A \wedge \mathcal{E}_2] \ge \Pr[M_R =
M_S \mid M_S \ne M_A \wedge \mathcal{E}_2]$.

Proof: Denote by $\mathbb{E}_2$ the set of all executions where $\mathcal{E}_2$
occurs. Let $S_2 \subseteq \mathbb{E}_2$ denote the set of executions in which $\mathcal{R}$
outputs $M_R = M_S$ given that $M_A \ne M_S$.

We define a relation $W_2 \subseteq \mathbb{E}_2 \times \mathbb{E}_2$ such that $(E, \bar{E}) \in
W_2$ if: (i) $C_R$ remains unchanged in the two executions; (ii)
$C_{A0} \oplus \bar{C}_{A0} = 1$; (iii) $\bar{C}_{A1} = C_S$, $\bar{C}_S = C_{A1}$; and (iv) $\bar{M}_S =
M_A$, $\bar{M}_A = M_S$.

Then $\mathcal{R}$ cannot distinguish two swapped executions $(E, \bar{E})$
in $W_2$, and if $E \in S_2$, we have $\bar{E} \notin S_2$. Moreover, for any
$E \in \mathbb{E}_2$, a proof similar to case (ii) in Claim 4 can be used
to prove that $p_E = p_{\bar{E}}$. We thus have
$$\begin{aligned}
\Pr[M_R \ne M_S \mid M_S \ne M_A \wedge \mathcal{E}_2]
&= \Pr[E \notin S_2] \\
&\ge \sum_{E \in S_2} p_{\bar{E}} = \sum_{E \in S_2} p_E \\
&= \Pr[M_R = M_S \mid M_S \ne M_A \wedge \mathcal{E}_2].
\end{aligned}$$
■


From Claims 4 and 5 we have
$$\begin{aligned}
\Pr[M_A^+ = M_S]
&\ge \Pr[M_A^+ = M_S \mid \mathcal{E}_1]\, \Pr[\mathcal{E}_1]
+ \Pr[M_A^+ = M_S \mid \mathcal{E}_3]\, \Pr[\mathcal{E}_3] \\
&\ge \Pr[M_R = M_S \wedge \mathcal{E}_1] + \Pr[M_R = M_S \wedge \mathcal{E}_3]
\end{aligned} \qquad (10)$$
and
$$\begin{aligned}
\Pr[M_R \ne M_S]
&\ge \Pr[M_R \ne M_S \mid \mathcal{E}_2]\, \Pr[\mathcal{E}_2] \\
&\ge \Pr[M_R \ne M_S \mid M_S \ne M_A \wedge \mathcal{E}_2]
\cdot \Pr[M_S \ne M_A \mid \mathcal{E}_2]\, \Pr[\mathcal{E}_2] \\
&\ge \Pr[M_R = M_S \mid M_S \ne M_A \wedge \mathcal{E}_2]
\cdot \Pr[M_S \ne M_A \wedge \mathcal{E}_2] \\
&= \Pr[M_R = M_S \wedge \mathcal{E}_2]
\cdot \big(1 - \Pr[M_S = M_A \mid M_R = M_S \wedge \mathcal{E}_2]\big) \\
&\ge \Pr[M_R = M_S \wedge \mathcal{E}_2] - \Pr[M_A = M_S].
\end{aligned} \qquad (11)$$

Moreover, we also have $\Pr[M_A = M_S] \le \epsilon + \frac{1}{|\mathcal{M}|}$, as
otherwise by choosing $M_A^+$ to be $M_A$ we would have $\Pr[M_A^+ =
M_S] > \epsilon + \frac{1}{|\mathcal{M}|}$, which contradicts Lemma 2.
Hence, it holds that
$$\begin{aligned}
\Pr[M_A^+ = M_S] + \Pr[M_R \ne M_S]
&\ge \Pr[M_R = M_S \wedge \mathcal{E}_1] + \Pr[M_R = M_S \wedge \mathcal{E}_3] \\
&\quad + \Pr[M_R = M_S \wedge \mathcal{E}_2] - \Pr[M_A = M_S] \\
&= \Pr[M_R = M_S] - \Pr[M_A = M_S].
\end{aligned}$$

Thus, by noting that $\Pr[M_A^+ = M_S] \le \epsilon + \frac{1}{|\mathcal{M}|}$,
$\Pr[M_A = M_S] \le \epsilon + \frac{1}{|\mathcal{M}|}$
and $\Pr[M_S \ne M_R] \le \delta$,
we get $\epsilon + \delta \ge \frac{1}{2} - \frac{1}{|\mathcal{M}|}$. ■

2) Proof of Lemma 6: Assume $C_{A0} = 1$; we describe $\mathcal{A}$'s
strategy as follows.

Round 1: (i) If $\mathcal{R}$ uses the public channel, $\mathcal{A}$ just blocks the $t$
corrupted wires. Then $\mathcal{A}$ selects $(M_A, C_{A1}) \leftarrow \mathcal{M} \times \{0,1\}^*$,
and sets $C_{A2} = \bot$.

(ii) Otherwise, assume $\mathcal{R}$ sends out $X_1 Y_1$. Consider the
following two sets
$$\Omega_1 \stackrel{\mathrm{def}}{=} \{c \mid c \in \{0,1\}^* \text{ s.t. } f_1(c) \text{ involves no public channel communication}\},$$
$$\Omega_2 \stackrel{\mathrm{def}}{=} \{c \mid c \in \Omega_1 \text{ s.t. } f_2(c) \text{ involves no public channel communication}\}.$$
Obviously, $C_R \in \Omega_1$. Then if $|\Omega_2| > 0$, $\mathcal{A}$ selects $C_{A2} \leftarrow \Omega_2$;
otherwise, she selects $C_{A2} \leftarrow \Omega_1$. $\mathcal{A}$ also chooses $(M_A, C_{A1}) \leftarrow
\mathcal{M} \times \{0,1\}^*$, then computes $X'_1 Y'_1 = f_1(C_{A2})$ and replaces
$Y_1$ by $Y'_1$.

Round 2: (i) If $\mathcal{R}$ uses the public channel in this round or the public
channel has been used in round 1, $\mathcal{A}$ just blocks the corrupted
wires. (ii) Otherwise, suppose $\mathcal{R}$ responds with $X_2 Y_2$; then $C_R \in
\Omega_2$, and the selection of $C_{A2}$ ensures that $\mathcal{A}$ can produce a
message $X'_2 Y'_2$ without public channel communication. $\mathcal{A}$ thus
replaces $Y_2$ by $Y'_2$.

Round 3: (i) If $\mathcal{S}$ sends out $P_3 X_3 Y_3$, $\mathcal{A}$ just blocks $Y_3$,
and computes $M_A^+ = g(P_3 Y_3, C_{A2})$. (ii) Otherwise, assume $\mathcal{S}$
sends out $X_3 Y_3$; this implies that the public channel has been used
in the first two rounds, so $\mathcal{A}$ computes $X'_3 Y'_3$ and replaces
$Y_3$ by $Y'_3$.

Then by a calculation similar to Eqs. (10) and (11), we get
$$\Pr[M_R \ne M_S] \ge \Pr[M_R = M_S \wedge \mathcal{E}_1] + \Pr[M_R = M_S \wedge \mathcal{E}_2] - 2\Pr[M_S = M_A]$$
and
$$\Pr[M_A^+ = M_S] \ge \Pr[M_A^+ = M_S \wedge \mathcal{E}_3] \ge \Pr[M_R = M_S \wedge \mathcal{E}_3],$$
where $\mathcal{E}_1, \mathcal{E}_2$ denote the events that $\mathcal{R}$ uses the public channel
in round 1 and 2 respectively, and $\mathcal{E}_3$ denotes the event that
$\mathcal{S}$ uses the public channel in round 3. Finally we obtain
$$3\epsilon + 2\delta \ge 1 - \frac{3}{|\mathcal{M}|}.$$
■

3) Proof of Lemma 7: $\mathcal{A}$'s strategy with $C_{A0} = 1$ is described as follows.

Round 1: (i) If $\mathcal{R}$ uses the public channel, $\mathcal{A}$ just blocks the $t$
corrupted wires; (ii) otherwise, assume $\mathcal{R}$ sends out $X_1 Y_1$; $\mathcal{A}$
selects $C_{A2}$ from the set
$$\Omega_1 \stackrel{\mathrm{def}}{=} \{c \mid c \in \{0,1\}^* \text{ s.t. } f_1(c) \text{ involves no public channel communication}\}$$
and computes $X'_1 Y'_1 = f_1(C_{A2})$, then replaces $Y_1$ by $Y'_1$.

In the latter two rounds: (i) If $\mathcal{R}$ does not use the public
channel in round 1, this means $\mathcal{S}$ will be the invoker of the public
channel, thus $\mathcal{A}$ just blocks the corrupted wires. (ii) Otherwise,
$\mathcal{A}$ chooses $(M_A, C_{A1}) \leftarrow \mathcal{M} \times \{0,1\}^*$ and computes $X'_2 Y'_2$
and $X'_3 Y'_3$, then modifies the corrupted wires.

We note that the impossibility proof in this scenario is
similar to Lemma 5 and thus omit it here. ■



